Logstash cannot parse httpdate even pattern is correct

rogerwang · February 12, 2020, 6:39am

Hi,
I was converting the filebeat pipeline to logstash since I need to use the translate filter. everything seems fine except the date filter is giving me the "_dateparsefailure" and it is not able to parse the time correctly.

In order to simplify the question, I use below command to debug:

# echo "09/Feb/2020:07:12:13 +1100" | /usr/share/logstash/bin/logstash -e 'input { stdin {} } filter {date { match => [ "message","dd/MMM/yyyy:HH:mm:ss Z" ] } } output { stdout { codec => rubydebug } }'

As you can see in the result, the time is not parsed:

{
      "@version" => "1",
       "message" => "09/Feb/2020:07:12:13 +1100",
          "tags" => [
        [0] "_dateparsefailure"
    ],
    "@timestamp" => 2020-02-12T06:26:35.593Z,
          "host" => "au1-int-elk03"
}

I don't know why this is happened and how to fix the problem.

grumo35 · February 12, 2020, 8:21am

I dont know, this looks strange, have you tried to strip the "/" maybe this is it ?

rogerwang · February 12, 2020, 11:38am

Finally solve it. It should be logstash compatibility issue with the Java 11 openjdk. Once I downgrade the java version to 1.8.0 and the problem is fixed immediately. Just report here in case someone has the same problem.

system · March 11, 2020, 11:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.